Khalil Shreateh, a self-professed IT expert from Palestine, hit the headlines four years ago when he hacked Facebook CEO Mark Zuckerberg’s wall. Shreateh was frustrated that Facebook was ignoring a big security flaw, so demonstrating it on Zuckerberg’s own Facebook wall was an easy way to get the company to act. Shreateh discovered a security flaw in LinkedIn last month, and he reached out to The Verge after becoming frustrated that the company was ignoring his report — just like four years ago.
The flaw worked by smuggling script into images hosted on the service. By altering the source value of a posted image, an attacker could cause a remote script to run when a user clicked on the picture. In the most troubling version of the exploit, that script could display a fake LinkedIn authentication prompt, potentially tricking users into handing over their password. The prompt would even appear automatically if a logged-out LinkedIn user simply visited the post. LinkedIn patched the flaw after being contacted by The Verge.
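The article does not say exactly how the altered source value reached the page, so the following is an added illustration rather than LinkedIn's code or Shreateh's exploit. It assumes the simplest version of the bug class the paragraph describes: a posted image's source value being placed into markup without checking that it is actually an http(s) image URL. The function names, the allowed-scheme list and the sample inputs are all hypothetical.

```javascript
// Added example (not from the article or from LinkedIn): a user-supplied image
// "source value" placed into markup unchecked, beside a hardened version.
// Function names and sample inputs are hypothetical.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]); // assumption: only web URLs are images

// Vulnerable pattern, shown for contrast: whatever the poster supplied becomes the
// src attribute verbatim, so a value containing a quote can add new attributes and
// a "javascript:" value becomes a script that runs when the image is clicked.
function renderImageUnsafe(src) {
  return `<img src="${src}">`;
}

// Minimal HTML attribute escaping; applied after validation, never instead of it.
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened: parse the value as an absolute URL, allow only http(s), and return
// the normalised form. Anything else (javascript:, data:, attribute-breakout
// text that is not a URL at all) is rejected with null.
function validateImageSource(src) {
  let url;
  try {
    url = new URL(src); // throws on relative text and on non-URL strings
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return null;
  }
  return url.href;
}

// Hardened renderer: drop the image rather than emit an unvalidated source.
function renderImageSafe(src) {
  const clean = validateImageSource(src);
  if (clean === null) {
    return "";
  }
  return `<img src="${escapeAttr(clean)}">`;
}

// Constructed sample inputs: one legitimate image URL and three hostile values.
const SAMPLES = [
  "https://cdn.example.com/pic.png",
  "javascript:alert(document.cookie)",
  "data:text/html,<script>alert(1)</script>",
  'x" onerror="alert(1)',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s));
  console.log("  unsafe:", renderImageUnsafe(s));
  console.log("  safe:  ", renderImageSafe(s) || "(rejected)");
}
```

A production check would normally go further and restrict the host to the service's own image storage, and the real defence against the fake login prompt is a Content Security Policy that forbids inline and third-party script, since validating one attribute does not protect every other place the value might be reflected. Both of those are additional assumptions about a fix, not details the article reports.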
While the flaw would have had to be planted on a LinkedIn account with a large following, or pushed to victims through a phishing email, it was easy enough to verify once Shreateh detailed it to The Verge. In correspondence seen by The Verge, LinkedIn security engineers initially dismissed the report as requiring “user intervention” to trigger, even though the authentication prompt popped up automatically for anyone who viewed the post while logged out.
“I was amazed with all the replies I got from LinkedIn,” Shreateh tells The Verge. “LinkedIn and other companies should take security issues on a top high level where a specialist security employee gives a direct response with any security report.” Shreateh isn’t a full-time security researcher, but he has been investigating web flaws for around nine years. CNN previously visited Shreateh at his home in Palestine, and he has been awarded bug bounties for at least 10 Facebook exploits in the years since his Zuckerberg wall hack.
Shreateh’s frustration is understandable. Barely a week passes without a high-profile security breach, often affecting thousands or millions of users. Researchers regularly report these vulnerabilities, and if companies are slow to respond, users are left at risk. “After the researcher contacted us to disclose an issue on our platform, we actively engaged with them to understand it and quickly implemented a fix after we were able to reproduce the issue,” says a LinkedIn spokesperson in a statement to The Verge. “The issue had the potential to impact users only if they responded to a phishing email from an attacker and then entered their credentials. We do not believe any exploitation has occurred. We value our hard earned and well established track record of working with security researchers to protect our members.”